
Introduction

Ponemon Institute is pleased to present The Value of Threat Intelligence: Annual Study of North American and United Kingdom Companies, sponsored by Anomali. The purpose of this research is to examine trends in the benefits of threat intelligence and the challenges companies face when integrating threat intelligence with existing security platforms and technologies.

Only respondents who report their organization uses threat intelligence as part of their cybersecurity program completed the survey. A total of 1,098 IT and IT security practitioners in North America and the United Kingdom participated in this research. According to the findings, these participants strongly believe in the importance and value of threat intelligence data but are struggling to maximize its effectiveness in detecting cyber threats.

Participants in this research were asked to rate the importance and effectiveness of threat intelligence with respect to having a strong security posture on a scale from 1 = low to 10 = high. Respondents continue to say threat intelligence is important, but they have not made progress in improving its effectiveness. We refer to this as the threat intelligence gap.

Closing the threat intelligence effectiveness gap

The importance of threat intelligence as part of an IT security mission should encourage organizations to take steps to improve how it is used. Following are recommendations to close the threat intelligence effectiveness gap.

  • Establish a formal and dedicated team to manage threat intelligence activities.
  • Allocate adequate budget to threat intelligence, including threat hunting and advanced attacker investigations.
  • Participate in threat intelligence sharing.
      • Participate in an ISAC/ISAO or other industry sharing group.
  • Increase the security team’s knowledge about adversaries, including their motivations, infrastructure and methods.
  • Improve the ability to integrate threat intelligence with their tools.
      • Improve the ability to integrate threat intelligence data with SIEM and IDS/IPS.

Best practices in threat intelligence

In this section of the report, we outline eight best practices for threat intelligence. These best practices are extrapolated from 198 respondents who self-reported their organizations as highly effective in detecting external threats.

The eight best practices of high performing organizations

1. Adequate budget. Forty-one percent of high performing organizations have resources that focus on threat detection vs. only 33 percent of respondents in the overall sample.

2. Focused on improving the use of threat intelligence to detect threats. Seventy-two percent of respondents in high performing organizations rate their organizations’ use of threat intelligence data as part of its threat detection efforts as highly effective. In contrast, 41 percent of respondents in the overall sample rate their effectiveness as very high.

3. Understand their adversaries. Virtually all high performing organizations want to understand the motivations, infrastructure and methods of attackers.

4. Pay for threat intelligence. Sixty percent of respondents say their primary source of threat intelligence is paid threat intelligence feeds. Respondents in the overall sample (23 percent) are more likely than high performing organizations to use open source threat intelligence feeds.

5. Implement a dedicated threat intelligence platform. Sixty-nine percent of respondents in high performing organizations have a dedicated threat intelligence platform but less than half (48 percent) of respondents in the overall sample have this.

6. Integrate threat intelligence with their SIEM and IDS/IPS with less difficulty than the overall sample. Eighty-six percent of respondents in high performing organizations either integrate threat intelligence data from a threat intelligence platform (45 percent) or integrate built-in threat intelligence data provided by the SIEM vendor (41 percent). Eighty-one percent of these respondents say their organizations integrate threat intelligence with their IDS/IPS. High performing organizations also report that the integration with SIEM and IDS/IPS was not as difficult as the overall sample believes.

7. Share intelligence with other organizations. Seventy-seven percent of respondents in high performing organizations share threat intelligence with other organizations vs. 59 percent of respondents in the overall sample.

8. Have a dedicated threat hunting team. Fifty-nine percent of high performing organizations have a dedicated threat hunting team vs. 43 percent of respondents in the overall sample.

Key findings

In this section of the report, we provide the detailed findings and trends of the research. Whenever possible, findings from the 2017 research are presented. The complete research is shown in the Appendix of this report. We have organized the report according to the following topics.

  • The state of threat detection
  • Threat detection strategies and threat hunting 
  • Threat intelligence platform and integration 
  • Best practices from high-performing organizations

The state of threat detection

APT attacks and theft of high value data are both the most worrisome and the most time consuming to resolve. According to Figure 2, 62 percent of respondents say APT-based attacks are the most time-consuming attacks, and 57 percent of respondents say they are of greatest concern. The theft of high value data such as financial information and intellectual property is also both time consuming to resolve (55 percent of respondents) and worrisome (52 percent of respondents). Forty-six percent of respondents say resolving phishing attacks is most time consuming, but only 24 percent of respondents say it is a significant concern.
